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A FILTER AND A METHOD OF FILTERING ELECTRONIC MESSAGES 



INTRODUCTION 

The present Invention relates to a filter for Altering electronic messages e.g. for discharging 
spam mail from an electronic mailing system. In particular, the Invention relates to a filter for 
5 filtering electronic messages, said fitter comprising: 

■ 

- storage space for an allowed list comprising identification Inslgrtlas of senders 
which have been approved for sending messages to a recipient, 

- means for receiving a first electronic message from a sender, 

- means far capturing from the message an identification Insignia of the sender, 

10 - means for capturing from the message an Identification Insignia of the 

recipient, 



- first check means for comparing the identification Insignia with the allowed list 
for determining either to withhold the message or to forward the message to 
the recipient, 



15 ~ means for storing the message and insignia, 

- means for generating a return mall to the sender In case the identification 
insignia is not Included In the allowed list, the means for returning the mall 
being adapted to Include In the returned mail a unique code, and a message 
for the sender to reply to the return mail by sending it back without changing 

20 the unique code, 

- means for storing the unique code and relating It to the insignia, and 



- second check means for receiving a second electronic message and for 
recognising the second message being a reply to the returned mail. 

Accordingly, the filter is of the kind wherein a sender's address is compared with a list of 
25 allowed addresses, and If the address is not contained therein, a reply is generated for the 
sender requesting completion of a registration process. 
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BACKGROUND OF THE INVENTION 

In parallel with the Increasing growth of popularity of electronic mailing systems for 
exchanging Information globally/ the desire of reducing the number of received messages by 
automatically filtering out unwanted messages has Increased. Spam mall, I.e. mall messages 
5 which are forwarded to a large number of unknown recipients e.g. with the purpose of 

advertising or In general for distributing Information can slow down mall servers severely by 
occupying processor and storage resources, and, In worst case, the users may In annoyance 
over a large number of Irrelevant messages overlook messages of Importance. 

Filters of the above described kind exist already. In US 6,199402 the prompt Is designed to 
10 require manual operation whereby an automatic reply set up by a computer system, e.g. a 
computer system adapted for forwarding messages to a large group of recipients, are filtered 
out. The required manual operation could be a required response to a question, e.g. *what is 
the colour of the sky", or *what is the current month". In such a system, there is always a 
potential risk that persons of Interest to the recipient get annoyed oyer the troubles, and e.g. 
15 after having given a wrong answer, e.g. by misspelling the colour of the sky, give up trying 
to reach the recipient. 

DESCRIPTION OF THE INVENTION 

It is an object of the present invention to enable filtering of undesired mails from desired 
mails without requiring burdensome Implication of the sending or the receiving part. 

20 Accordingly, the invention, In a first aspect, provides a filter of the above-mentioned kind, 
and further comprising: prioritising means which, In response to recognition of the second 
message being a reply to the returned mall, assigns a priority to each of the Identification 
insignias of the senders of the first messages. The filter further comprising means for 
selecting Identification Insignias and adding the selected Insignias to the allowed list, wherein 

25 the means for selecting are adapted to carry out the selection according to the priorities 
assigned to the identification insignias. 

Since the user is not prompted for any specific answer but only Is requested to push a 
"Reply" button, merely nothing should prevent a user from continuing an attempt to send a 
desired electronic message to a recipient. Moreover, those who, In spite of the requirement 
30 for replying to the message, attempts to send spam mail will not get directly through to the 
recipient Instead, Identi flcatlon insignias of all replying senders are prioritised for further 
selection of Insignias which will enter the allowed list. As a consequence of the prioritising, it 
Is possible to do the final selection, e.g. manually without exercising an excessive work load. 



Inspicos/30/03/2004/10 : 14 



'30/03 2004 TUE 13:15 FAX +45 45166168 Iospicos A/S -m»-> PVS ©OO4/O15Q/0 . 



15713YY00 



Person Q sending from the domain DOTCOMPANYNAME is not on the allow list but the 
message content contains a word recognised by the rule and therefore the Insignia is added 
to the allow list and the mall Is delivered to the recipient. As an example, the message may 
35 contain a word which indicates that the sender knows the recipient very well, e.g. the 
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The filter thus combines two separate filtering processes, and the combination provides a 
reduced number of received spam mails, and a reduced number of senders giving up an 
attempt to communicate a desirable message. 

a 

Often, electronic mail systems, work with multiple addresses (IP addresses). On some 
5 addresses they can send out messages and on other addresses they can receive messages. 
The addresses are listed In the so called dns entries. It may therefore be an advantage to 
provide in the filter, means for capturing from the message a list with multiple addresses 
from which the sender has access to send messages. If sender Q uses a mail system with 5 
addresses, the filter should be able to obtain from this sender a list containing all 5 
10 addresses. During the selection of inslgnias to be added to the allowed list, all 5 Insignias 
should be added In one process step. In that way, It can be prevented that sender Q caused 
by an unsuspected use of another of the 5 addresses In a later attempt has to go through the I 
complete acceptance procedure again. 



Sometimes, electronic messages are communicated between large groups of people, I.e. one 
15 specific mail could be send to a plurality of recipients, and each recipient can choose a 'Reply 
to Air command. In this case, acceptance of one person amongst a group of persons may 
advantageously Imply an automatic acceptance of other people in that group. For that 
purpose, the filter may comprise means for generating a predict allowed list comprising 
Identification Insignias of third party mall recipients Included by the sender In the first or the ; 
20 second electronic message. This list can be used in rule based selection methods by the j 
prioritising means. \ 



Normally, the prioritizing of the identification insignias eases the adding of Insignias to the . 
allowed list for the person In charge of this task. However, in one preferred embodiment, the 

filter may comprise a rule based selection method which, based on recognition of specific j 

25 patterns in the prioritised insignias or mail content can select specific Insignias directly for the 1 

allowed list without user intervention. As an example, such ruled based method could be t 

• 

adapted to enter all insignias except Insignias containing a specific domain name, e.g. } 
*hotmair or similar *free of charge" domains. In another example, the rule based method ( 
could further be adapted to analyse the content of the message, e.g. for Identifying a specific i 

• 

30 frequency of occurrence of one or more predetermined keywords In an electronic message. . \ 
Accordingly, the following can exemplify the situation: ] 
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message may contain names or expression only being used within a narrow group of people. 
In another example, a message contains a word which removes the assodated Insignia from 
an allowed list, e.g. words which Indicates that It could be a spam mall. 

In a second aspect, the invention provides a method for filtering messages and In accordance 
5 with the features described for the. first aspect of the invention. 

DETAILED DESCRIPTION OF THE INVENTION \ 

i 

In the following, the Invention will be described In further details with reference to the j 
drawing in which: ! 

V 

I 

Figs. 1 and 2 show a diagram of a software implemented filter for filtering spam messages | 
10 from desired messages, and 

i 

Fig. 3 shows a screen dump from a computer implementation of the invention. ; 

* 

The following description is based on the implementation of the invention In a computer 
system for filtering e-mail messages. The Implementation is done as a SMTP gateway but It 

< 

could also have been implemented as a part of a messaging system (e.g, Microsoft Exchange 
15 server, Lotus Notes or Novell GroupWIse). Reference is further made to the 'Simple mail , 
transfer protocol", Jonathan B. Postel, RFC 821 of August 1982 from Information Sciences 
Institute, University of Southern California, Marina del Rey, California and STANDARD FOR 
THE FORMAT OF ARPA INTERNET TEXT MESSAGES August 13, 1982 Revised by David H. 
Crocker Dept. of Electrical Engineering University of Delaware, Newark, DE 19711 Network: 
20 DCrocker @ UDel-Relay. 

Incoming Emails: 

* 

An email Is received from the sender via the SMTP daemon on TCP port 25 (RFC 821) on the 
receiving server 1. The receiving server then extracts the sender Insignia from the Mall From: 
on the SMTP protocol and the IP address of the sending server from the IP protocol 1. The 
25 receiving server then checks the insignia against the black list 2 if the insignia Is Included In 
the black list, the email Is rejects and the sender's server is Informed about this via an error 
message on the SMTP protocol 3. 

If the insignia is not included in the black list the receiving server checks the subject line 

« • 

from the mime message (RFC 822, I.e. standard for the format of.arpa internet text 



t&OOS/OlSg/Q 



Insplcos/30/03/2004/ 10:14 



•30/03 2004 TUE 13:15 FAX +45 45166166 Insplcos A/S PVS SJOOB/OISq^IJ 
• 15713YY00 

5 

MESSAGES August 13, 1982, Revised by David H. Crocker. www.f3QS.orQ/rfcs/rfc822.htm]) for a unique 
code and compares this code and the Insignia with the list of previously generated key pairs 
4. If the incoming email does not contain a valid key pair the receiving server then checks If 
the insignia Is on the allow list 13. If the insignia is not on the allow list the receiving server 
5 wiii send back a reply request to the sender by doing the steps described in the following 
text. The receiving server generates an error message on the SMTP protocol that Informs the 
sending server that the email could not be received because the sender Is not registered as a 
valid sender of mall to the receiver 14. After this step, the SMTP communication Is either 
dosed by the sending server or a new email Is delivered to the receiving server. The 

10 receiving server then prioritizes the incoming email according to a given rule set and assigns 
a priority value to the email message 15. If the assigned value is not exceeding a given 
threshold value a Unique ID is generated by the receiving system 18. The Incoming email, 
insignia and Unique ID is then stored by the receiving server for later retrieval 19. The 
receiving server sends an email to the sender of the Incoming email asking to reply to it 

15 without changing the subject line of the mime message (RFC 822) 20. 

If the incoming email did get a priority value exceeding the given threshold value le the 
insignia of the sender Is added to the allow list 17. 

If the incoming email sender Insignia was on the allow list 13 then the receiving server 
captures the CC; from the mime message and stores them the predict allow list for later • 
20 retrieval 11. The email Is then delivered to the recipient mail box or forwarded to the next 
step 12. 

If the email did contain a valid key pair 4 the receiving server will prioritize the email 
message and assign it a priority value 5. If the assigned value is not exceeding a given 
threshold the choice of allowing the email is up to the administrator 7. If the email Is not 

25 approved by the administrator the original message, unique ID and Insignia Is deleted from 
storage space 8.1f the email is approved by the administrator or had a priority value 
exceeding the threshold 6 the insignia Is added to the allow list 9. The receiving system then 
informs the sender by sending an email that he can now send emails to the recipient and that 
the previously sent email will be delivered 21.The receiving system captures the CC: from 

30 the mime message and stores them In the predict allow list for later retrieval 11. 

The email is then delivered to the recipient mall box or forwarded to the next hop 12. Then 
the receiving system deletes the Email, Insignia and unique ID from storage 10. 
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Outgoing Emails: 

* * 

An email is received from the sender via the SMTP daemon on TCP port 25 (RFC 821) on the 
server 23 from an Internal sender. The server adds the insignia of the recipient/recipients 
captured from the SMTP rcpt to: (RFC 821) on the Allow list 24. The email Is delivered to the 
5 recipients SMTP via TCP port 25 (RFC 821) 25. 

Description of technical terms In one specific Implementation of the invention: 

The simplest form of an Insignia Is an email address or the domain part of the sender's email 
address. More complex Inslgnias can include an email address with or without a list of IP 
addresses from which a user can send! Alternatively, the Insignia may include a domain with 
10 or without a list for IP addresses from which the user from that domain can send. 

The domain part could be defined as the sub string starting after the % @' sign and ending at 
the end of the email address Including the last character. 

The storage space could be defined as space on a harddlsk or space on a set of harddisks 
(Raid set) in which the Inslgnias are stored as records on the insignia list (allow list and 
15 predict allow list). An allow list can in the simplest form consists of only sender inslgnias or 
more complex to allow fine grained control by making a list that Includes a relationship 
between a sender insignia and a recipient insignia. 

The system is connected to the Internet and running a SMTP daemon on TCP port 25 from 
which it can receive incoming messages from senders connected to the same net. 

Using the SMTP protocol specified In RFC 821 the system captures the sender's email 
address, I.e. an Identification insignia from the mall from: command. Further the system 
captures the sender's IP address from the TCP layer. By use of the SMTP protocol specified in 
RFC 821 the system captures the sender's email address insignia from the rcpt to: command* 

The system compares the sender Insignia with the Inslgnias stored in the allow list using the 
same type of Insignia record (simple or complex) as defined by the allow list record for a 
specific record. 

The Message and the Insignia could be stored in a space on a harddlsk or In a space on a set 
of harddisks (Raid set) in which the message and insignia is stored for later retrieval. 
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If the Identification insignia is not Included In the allowed list, a return mall to the sender Is 
generated in program memory and send to the sender via the STMP daemon using TCP PORT 
2S.TTiis return message subject field (RFC 822) Includes a 128 bit value code converted to a 
string plus a word that can be scanned for In the Incoming email messages (e.g. ID= 
C4389FB[>.0872-4077-8FFF«0001901F1D89). The code Is generated by making a random 
128 bit number and then converting It to a string. Subsequently, the unique code and a 
relation between the Insignia are stored as a key pair In a space on a harddisk or space on a 
set of harddlsks (Raid set). The insignia Is stored with a pointer to the code for later retrieval. 

Capturing the unique ID can be done by scanning the Incoming email messages sutyect field 
(RFC 822) for a word (e.g. ID=) and then capturing the substring containing the next 19 
characters after the ID=. 

■ 

Checking the validity for an Incoming unique Id and Insignia can be done by matching up the 
key pair represented by these two values and the key pair list generated by the first 
message. 

15 Prioritizing the message can be done by having static or dynamic lists of words, email 

addresses (predicts allow list) and/or domains which Is assigned a weight value stored In a 
space on a harddisk or in a space on a set of harddlsks (Raid set). The entitles in the list are 
then compared to the content of the message and Inslgnlas word by word or insignia by 
Insignia. A value equal to the sum of the weights values for all matches is attached to the 
20 message as a priority value. 

The choice of allowing the message could be up to the administrator. For this purpose a GUI 
Is designed to display the needed Information for the administrator to make the choice In a 
list sorted by the priority value -the higher the value the more Important the message Is, The 
GUI In question Is shown in Fig. 3. 

25 ' An Internal sender can be detected by using the sender's IP address and matching It to a list 
consisting of predetermine address IP for internal sender. The list could be stored as records 
in a database on a space on a harddisk or In a space on a set of harddlsks (Raid set). 
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1. A filter for Altering electronic massages, said filter comprising: 

- storage space for an allowed list comprising Identification insignias of senders 
which have been approved for sending messages to a recipient, 

5 - means for recelvtng a first electronic message from a sender, 

- means for capturing from the message an Identification Insignia of the sender, 

- means for capturing from the message an Identification Insignia of the recipient, 

- first check means for comparing the identification Insignia with the allowed list for 
determining either to withhold the message or to forward the message to the 

10 recipient, 

- means for storing the message and Insignia, 

- means for generating a return message to the sender in case the identification 
insignia is not Included in the allowed list, the means for returning the message 
being adapted to include in the returned message a unique code, and a message. 

15 for the sender to reply to the returned message by sending it back without 

changing the unique code, 

- means for storing the unique code and relating It to the insignia, and 

- second check means for receiving a second electronic message and for 
recognising the second message being a reply to the returned message, 

20 characterised in that the filter further comprises: 

- prioritising means which, in response to recognition of the second message being 
a reply to the returned message, assigns a priority to each of the Identification 
insignias of the senders of the first messages, and 
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- means for selecting Identification Inslgnias and adding the selected Inslgnias to 
the allowed list, wherein the means for selecting are adapted to carry out the 
selection according to the priorities assigned to the Identification Inslgnias. 

2. A filter according to claim 1, wherein the second check means performs the recognition by: 

5 - capturing In the second message the unique code, and a second Identification 

Insignia of the sender of the second message, and 

- checking that the unique code has not changed, and that the second 
Identification insignia corresponds to the first identification insignia. 

3. A filter according to claim 1 or 2, further comprising means for capturing from a server a 
10 list comprising at least one address from which the sender has access to send messages 

from. 

4. A filter according to claim 3, further comprising means for checking that the sender is 
sending from an address Included In the list. 

5. A filter according to any of the preceding claims, further comprising means for generating 
15 a predict allowed list comprising Identification Inslgnias of third party message recipients 

included by the sender in the first or the second electronic message. 

6. A filter according to any of the preceding claims, further comprising rule based selection 
means which, based on recognition of a specific pattern in the content of the message sets 
the priority of the identification Insignlas. 

20 7. A filter according to any of the preceding claims, further comprising means for 

automatically selection of Inslgnias with priorities above a predetermined value for the 
allowed list. 

8. A filter according to any of the preceding claims, wherein the identification inslgnias of the 
senders and the data Identifying the sender include at least a domain Identification of the 

25 sender's electronic mall address. 

9. A filter according to any of the preceding claims, further comprising means for withholding 
the electronic message from flnai delivery to the Intended recipient until an administrator has 
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accepted delivery of the message to the recipient, the administrator being one of a human 
administrator, a software-Implemented administrator, and the recipient of the message* 

10. A filter according to any of the preceding claims, further comprising storage for a black- 
list, and means for checking occurrence of an Identification Insignia In the black-list prior to 
5 • comparing the Identification Insignia with the allowed list 

* 11. A filter according to any of the preceding claims, comprising means for communicating, in 
an SMTP message, and in response to receiving the message from a sender with an Insignia 
not Included in the allowed list or optionally, with an Insignia included in the black-list, that 
the message could not be delivered to the recipient. 

■ 

10 12. A filter according to dalm 11, comprising counting means for counting a number of 

reoccurrences of identical messages being received, and for adding the insignia of the sender 
of such messages which reoccur more than a pne-specified number of times to the black-list. 

13. A filter according to any of the preceding claims, comprising means for adding to the 
allowed list, Insignias of potential senders to whom the recipient has previously been sending 

15 messages. 

* 

14. A filter according to any of the preceding claims, comprising means for measuring a 
frequency of messages to and from a specific sender, and upon detection of frequencies 
above a pre-speclfled level, for forwarding the first message to the recipient Irrespective if 
the Insignia of the sender Is not In the allowed list. 

20 15, A filter according to any of the preceding claims, wherein the means for generating a 
return message to the sender is adapted to send the return message by use of an 
identification insignia corresponding to the identification insignia of the Intended recipient of 
the first message. 

16. A method for filtering electronic messages, said method comprising the steps of: 

25 - assigning space In a computer system for a list comprising Identification Insignias 

of senders which have been approved for sending messages to a recipient, 

- receiving a first electronic message from a sender, 

- capturing from the message an Identification Insignia of the sender, 
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* 

» 

- capturing from the message an Identification insignia of the recipient, 

- comparing the Identification Insignia with the allowed list for determining either to 
withhold the message or to forward the message to the recipient, 

- storing the message and Insignia In a storage space of the computer system, 

5 - generating a return message to the sender In case the Identification Insignia Is not 

Included In the allowed list, and Including In the returned message a unique code, 
• and a message for the sender to reply to the return message by sending it back 
without changing the unique code, 

« 

* storing the unique code and relating it to the Insignia, and 

10 - receiving a second electronic message and recognising the second message being 

a reply to the returned message, 

characterised in that the method comprises the steps of: 

- in response to recognition of the second message being a reply to the returned 
message, assigning a priority to each of the identification insignias of the senders 

15 of the first messages, and 

- selecting identification insignias and adding the selected insignias to the aiiowed 
list, wherein the selecting is carried according to the priorities assigned to the 
identification insignias. 
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ABSTRACT 



The J nvention provides a filter for filtering out spam malls before they arrive at a recipient's 
computer. Upon receiving a mail, the filter checks an associated Insignia, e.g. the e-mail 



address of the sender, and If the sender is not yet In the allowed list, a reply mail is 
5 generated for the sender. When the sender responds to the reply, a priority Is assigned to the 
Insignia and the firstly forwarded message is held back until the insignia Is selected to the 
allowed list. The filter could be Implemented In standard computer systems. The Invention 
further provides a method of filtering messages. 
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